[Pki-users] Questions on customizing certificate profiles
Oliver Burtchen
o.burtchen at gmx.de
Thu Apr 8 20:12:40 UTC 2010
Hi Kevin,
thanks for making the differences plain. For me RHBA-2009-1602 is more a new
feature, than a bug fix, but okay. ;-)
It seems that pkisilent does not offer an option to change the hash to SHA-2,
and as I wrote earlier, IMHO it is volitional hard-coded. Most of the rest of
dogtag has code to work with SHA-2.
I will give the "renewal method" a try.
Best regards,
Oli
Am Donnerstag, 8. April 2010 20:51:14 schrieb Kevin Unthank:
> Hi Arshad,
>
> Obviously, there are differences between RHCS8 and the latest release
> of Dogtag. Generally, new feature development takes place in dogtag
> and some of those features find there way back into RHCS8. Bug fixing
> often occurs first in RHCS8 and those fixes are ported to dogtag.
>
> PKI with only SHA-2 hashes is a fix that was made in the RHCS8
> code tree and released in both source binary form in errata
> RHBA-2009-1602. That fix will make it into dogtag builds but I can't
> commit to a specific release or date when this will happen.
>
> Until then it should be possible to work around the problem by using
> pkisilent or the renewal method suggested by Andrew.
>
> Cheers,
> Kev
>
> On 04/08/2010 10:55 AM, Arshad Noor wrote:
> > Can someone from the DogTag Engineering team confirm that a PKI
> > with only SHA-2 hashes *cannot* be built with the current version
> > of the product?
> >
> > I find this hard to believe given that the RHCS documentation seems
> > to indicate that it is possible to do so, and given that the
> > underlying code already has SHA-2 support; nevertheless, can someone
> > confirm Oliver's finding? Thanks.
> >
> > Arshad Noor
> > StrongAuth, Inc.
> >
> > P.S. Since the RHCS 8.0 documentation does state that SHA-2 hashes
> > can be configured at the time the self-signed cert is created, does
> > that imply that the commercial RHCS is technologically different from
> > the open-source DogTag? And, that it isn't just a question of RedHat
> > support?
> >
> > Oliver Burtchen wrote:
> >> Hi @ all,
> >>
> >> I also tried to change from "SHA1withRSA" to "SHA256withRSA" by
> >> editing the config files. No luck!
> >>
> >> I found, this is hard-coded in the sources, for example in:
> >>
> >> - pki-common-1.3.2/src/com/netscape/cms/servlet/csadmin/SizePanel.java
> >> - pki-common-1.3.2//src/com/netscape/cmscore/security/CASigningCert.java
> >>
> >> Just look for "SHA1withRSA" in the files, I don't think this are just
> >> fallbacks.
> >> Best regards,
> >> Oli
> >>
> >> Am Mittwoch, 7. April 2010 03:27:04 schrieb Chandrasekar Kannan:
> >>> On 04/06/2010 05:08 PM, Arshad Noor wrote:
> >>>> The only option that is visible under Advanced is the key-size
> >>>> for each of the certificate-types. The hash algorithm does not
> >>>> show up at all.
> >>>>
> >>>> Even the default, as mentioned by Step 8, is not the default as
> >>>> the last 10-12 installs have shown:
> >>>>
> >>>> * SHA256withRSA (the default)
> >>>>
> >>>> So, the question is: is the current build of DogTag in the pki
> >>>> repository identical to RHCS 8.0 or is it a different version?
> >>>
> >>> It might very well be ... we can look at the svn commits
> >>> to be really sure...
> >>>
> >>>> Arshad Noor
> >>>> StrongAuth, Inc.
> >>>>
> >>>> Chandrasekar Kannan wrote:
> >>>>> the installation wizard should provide 'options' under the advanced
> >>>>> section for you to be able to select the alg to use. Have you tried
> >>>>> doing Step (8) from here ?
> >>>>> http://www.redhat.com/docs/manuals/cert-system/8.0/install/html/Confi
> >>>>>gur
> >>>>>
> >>>>> ing_a_CA.html
> >>>
> >>> _______________________________________________
> >>> Pki-users mailing list
> >>> Pki-users at redhat.com
> >>> https://www.redhat.com/mailman/listinfo/pki-users
> >
> > _______________________________________________
> > Pki-users mailing list
> > Pki-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/pki-users
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>
--
Oliver Burtchen, Berlin
More information about the Pki-users
mailing list